
perfsonar-user - Re: [perfsonar-user] /etc/httpd/conf.d/ssl.conf

Subject: perfSONAR User Q&A and Other Discussion

  • From: Doug Wussler <>
  • To: Michael Johnson <>
  • Cc: "" <>
  • Subject: Re: [perfsonar-user] /etc/httpd/conf.d/ssl.conf
  • Date: Thu, 21 Dec 2017 18:09:54 +0000

Michael –

So that seems like a fine motivation, since our settings are even more
restrictive than the ones you implement, but you put them inside the
VirtualHost. From what I can see in my testing, I cannot override those
settings in another config file. If you could move them outside the virtual
host then I could do as you suggest. Is this something you could do? I
think that would accomplish your goal while allowing others to customize
those settings.

Doug



On 12/21/17, 12:15 PM, "Michael Johnson"
<>
wrote:

Hi Doug,

The SSL Protocol/CipherSuite values are modified by our packages because
if we don't update these, older/weaker ciphers are allowed, which is a
security issue; in fact, various web application scanners people are using
complain about this. This is why we have made the change.

I haven't tried this, but I believe you could set the values you want in
a separate config file, and they wouldn't get overwritten. You would want to
create a new file, something like this:

/etc/httpd/conf.d/zciphers.conf

You would then put the desired ciphers in this file and it would override
the settings in ssl.conf. The files in conf.d/*.conf are read in alphabetical
order, so by changing the filename you can control the order they load (hence
the 'z' above). The later includes override earlier ones.

Thanks,
Michael

On Thu, Dec 21, 2017 at 04:59:51PM +0000, Doug Wussler wrote:
>Is there some reason why you are modifying the values of “SSLProtocol”
>and “SSLCipherSuite” in the SSL.CONF file when updates are applied?
>
>I have more restrictive settings for these parameters. Whenever an
>update runs it updates these values and we end up with a corrupt value for
>SSLCipherSuite and then the service can’t restart.
>
>Does this config file need to be included in your update procedures? If
>not, can you please remove it so that it doesn’t overwrite custom settings?
>
>Doug
>
>
>Doug Wussler
>850.645.4201
>Information Technology Services
>Florida State University
>RK Shaw Building
>644 W. Call Street
>Tallahassee, FL 32304
>

--
Michael Johnson
GlobalNOC Software Engineering
Indiana University


812-856-2771
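
An added example, not part of the original thread or of perfSONAR's packaging: a small Python check for the scoping question discussed above. It walks conf.d-style files in alphabetical load order and reports where SSLProtocol and SSLCipherSuite are set. It assumes Apache's normal merge behaviour, where a directive inside a VirtualHost takes precedence for that virtual host over a server-level one regardless of file order; the file contents are constructed samples and the function names are hypothetical.

```python
import re

# Constructed sample files (not the real perfSONAR-packaged ssl.conf).
SAMPLE = {
    "ssl.conf": """
Listen 443 https
<VirtualHost _default_:443>
  SSLEngine on
  SSLProtocol all -SSLv2 -SSLv3
  SSLCipherSuite HIGH:!aNULL:!MD5
</VirtualHost>
""",
    "zciphers.conf": """
SSLProtocol -all +TLSv1.2
SSLCipherSuite ECDHE+AESGCM
""",
}

WATCHED = {"sslprotocol", "sslciphersuite"}
OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.I)
CLOSE = re.compile(r"</VirtualHost>", re.I)

def scan(files):
    """Return [(file, scope, directive, value)] in conf.d load order."""
    found = []
    for name in sorted(files):  # conf.d/*.conf is read alphabetically
        scope = "global"
        for raw in files[name].splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            m = OPEN.match(line)
            if m:
                scope = "vhost " + m.group(1).strip()
            elif CLOSE.match(line):
                scope = "global"
            else:
                parts = line.split(None, 1)
                if parts[0].lower() in WATCHED:
                    found.append((name, scope, parts[0], parts[1] if len(parts) > 1 else ""))
    return found

def shadowed_globals(found):
    """Global settings that a vhost-scoped setting of the same name overrides."""
    vhost = {d.lower() for _, s, d, _ in found if s != "global"}
    return [(f, d, v) for f, s, d, v in found if s == "global" and d.lower() in vhost]

if __name__ == "__main__":
    for f, d, v in shadowed_globals(scan(SAMPLE)):
        print(f"WARNING: {d} in {f} is global; a VirtualHost sets its own value")
```

To run it against a live host, build the dictionary from the files under /etc/httpd/conf.d/ instead of SAMPLE.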





